Some more malware sites to block, being used in current spam runs to distribute the blackhole exploit kit. Block the domains and IPs if you can.
Thursday 26 January 2012
NACHA Spam / chillechart.com and chillepay.com
More fake NACHA spam leading to malware, this time the malicious payload is at chillechart.com on 96.126.96.123 (Linode, New Jersey).
This follows the same pattern we have seen over the past few days. A Wepawet report for the malicious page is here. Blocking the IP address rather than the domain should block any other malicious sites on the server.
Update: chillepay.com is also being used in this spam run, hosted on 69.164.199.231 (also Linode)
Date: Thu, 25 Jan 2012 10:40:06 +0100
From: "alerts@nacha.org" [alerts@nacha.org]
Subject: Your pending ACH debit transfer
Dear Account Holder,
This message includes an important notice about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #: 766253676295142
Transaction status: pending
In order to resolve this matter, we prompt you to check the details of your transaction using the link below.
Faithfully yours,
Stephanie Barrera
Accounting Department
Monday 19 December 2011
FDIC spam / splatstack.net
More FDIC spam leading to malware, this time at splatstack.net.
The link goes via a couple of hacked sites to a malicious payload splatstack.net/main.php?page=abfd0d069b45c17e hosted on 173.255.253.115 (Linode). Blocking access to that IP address will probably be prudent.
Date: Mon, 19 Dec 2011 05:32:49 -0600
From: "Greta Bullock"
Subject: Blockage of your transactions
Attn: Financial Department
By this message we would like to inform you about the latest amendments in the Federal Deposit Insurance Corporation coverage rules. During the period from December 31, 2010 to December 31, 2012 all funds in a "noninterest-bearing transaction account" are provided with a full insurance coverage by the Federal Deposit Insurance Corporation. Please note, that this arrangement is temporary and separate from the Federal Deposit Insurance Corporation's basic insurance rules.
The term "noninterest-bearing transaction account" implies a usual checking account or demand deposit account on which the insured depository institution pays no interest. For more information about this temporary FDIC unlimited coverage, please refer to: http://iimtstudies.com/e3f4e0/index.html
Yours faithfully,
Greta Bullock
Federal Deposit Insurance Corporation
Tuesday 13 December 2011
NACHA Spam / badthen.com
More NACHA spam, this time leading to a malicious payload on badthen.com. Stupidly (again) the NACHA email appears to come from linkedin.com.
The malware is on badthen.com/main.php?page=977334ca118fcb8c hosted on 173.230.130.158 (Linode, US). Blocking the IP address will block any other malware domains on the same server.
Date: Wed, 14 Dec 2011 05:36:48 +0900
From: "LinkedIn" [linkedin@em.linkedin.com]
Subject: ACH transfer suspended
The ACH transaction (ID: 137297301664), recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Rejected transfer
Transaction ID: 137297301664
Rejection Reason See details in the report below
Transaction Report report_137297301664.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
© 2011 NACHA - The Electronic Payments Association
NACHA Spam / sadjumped.com / downloaddatafast.serveftp.com
More fake NACHA spam, this time leading to a malicious payload site on downloaddatafast.serveftp.com/main.php?page=977334ca118fcb8c on 173.230.137.34 (Linode, US).
serveftp.com is related to no-ip.com; if you block that domain then you should probably block serveftp.com as well. Blocking 173.230.137.34 would protect against any other malicious sites on the same server.
Update: another spam run is in progress using a domain sadjumped.com on the same server.
Date: Tue, 13 Dec 2011 14:15:51 +0100
From: "LinkedIn" [linkedin@em.linkedin.com]
Subject: ACH transaction not accepted
The ACH transfer (ID: 82065701523728), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.
Canceled transfer
Transaction ID: 82065701523728
Rejection Reason See details in the report below
Transaction Report report_82065701523728.doc (Microsoft Word Document)
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
© 2011 NACHA - The Electronic Payments Association
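A mail-filter check for the pattern in these NACHA posts, as an added example (not code from the original blog): it flags ACH/NACHA-themed transaction notices and, as with the messages quoted above, calls out the ones whose From domain does not match the organisation they claim to be from. The sample messages are constructed from the header lines quoted above; the brand-to-domain table is an assumption.

```python
"""Flag ACH/NACHA-themed lures and sender/brand mismatches (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: the header fields quoted in the posts above, with a
# short body in the same style. Not real captured messages.
SAMPLES = {
    "nacha_spoof": """\
From: "alerts@nacha.org" <alerts@nacha.org>
Subject: Your pending ACH debit transfer
Date: Thu, 25 Jan 2012 10:40:06 +0100

This message includes an important notice about the ACH debit transfer
sent on your behalf, that was detained by our bank.
""",
    "linkedin_sender": """\
From: "LinkedIn" <linkedin@em.linkedin.com>
Subject: ACH transfer suspended
Date: Wed, 14 Dec 2011 05:36:48 +0900

The ACH transaction (ID: 137297301664) was rejected by the
Electronic Payments Association.
""",
    "legit_looking": """\
From: "Payroll" <payroll@example.com>
Subject: Lunch on Friday
Date: Mon, 16 Jan 2012 09:00:00 +0000

Nothing to do with banking.
""",
}

# Theme words are case-sensitive on purpose: "ACH" in running text is the lure,
# "ach" inside other words is not.
ACH_THEME = re.compile(r"\bACH\b|\bNACHA\b|Electronic Payments Association")

# Assumed brand table: which domain a message invoking a brand should come from.
BRAND_DOMAINS = {"nacha": "nacha.org"}
BRAND_PATTERNS = {
    "nacha": re.compile(r"\bnacha\b|electronic payments association", re.I),
}


def sender_domain(msg):
    """Domain of the actual From address (not the display name)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def claimed_brands(text):
    """Brands the display name, subject or body invoke."""
    return {b for b, pat in BRAND_PATTERNS.items() if pat.search(text)}


def domain_matches(domain, expected):
    return domain == expected or domain.endswith("." + expected)


def classify(raw):
    """Return the sender domain, claimed brands and a verdict for one message."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    text = "\n".join([display, msg.get("Subject", ""), msg.get_payload()])
    themed = ACH_THEME.search(text) is not None
    dom = sender_domain(msg)
    brands = claimed_brands(text)
    mismatch = sorted(b for b in brands if not domain_matches(dom, BRAND_DOMAINS[b]))
    if not themed:
        verdict = "clean"
    elif mismatch:
        verdict = "brand-mismatch"   # claims NACHA, sent from somewhere else
    else:
        verdict = "ach-themed"       # lure theme present; verify with SPF/DKIM
    return {"sender_domain": dom, "claimed": sorted(brands),
            "mismatch": mismatch, "verdict": verdict}


def scan(samples):
    """Verdict per named message."""
    return {name: classify(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```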
Friday 15 January 2010
zoombanner.com / YieldManager malvertisement on ebuddy.com
ebuddy.com is running a malicious ad on the zoombanner.com domain, apparently managed by Yieldmanager.
First, the "legitimate" end of the malware chain loads at ad.zoombanner.com/content?campaign=1171557&sz=6
This forwards to deliver.commismanderakis.com/rotate?m=2;b=6;c=1;z=585778
Which goes to content.fishpotboutademalled.com/track/3388182/S_IT?[snip]
Then img.commismanderakis.com/img?XAhIPWtICDkJX0FVHXUDKFoRYhYlRxFCNlsBGEhLBEtVdRdiCRYKBA8kKV9RHBEaXFJfXFMHAQ
Followed by the payload domain at jduvazuc.info/cgi-bin/dep
then jduvazuc.info/cgi-bin/dep/j006102Hd793447cR55e239b8T9cc338b5V0100f060203L69740000000000000000
then jduvazuc.info/cgi-bin/dep/o006102203317l0010Hd793447cR55e239b8T9cc338b6V0100f060
Finally jduvazuc.info/cgi-bin/dep/e006102203318l0010Hd793447cJ0d000601R55e239b8T9cc338a4U0ec2fc77V0100f0600
This last hop tries to load an executable (and probably some other crap I haven't spotted), not very well detected according to VirusTotal. Oh yes, there's a PDF exploit too.
The malicious ad is an Italian language vacation banner in this case.
Most of the domains have anonymous registration details, except zoombanner.com which has the same details that were used in the malicious ads featured here and here.
zoombanner.com
Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States
Domain Name: ZOOMBANNER.COM
Created on: 24-Jul-09
Expires on: 24-Jul-10
Last Updated on: 24-Jul-09
Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --
Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --
Domain servers in listed order:
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM
A search for the IP addresses shows Linode is providing most of the infrastructure (again) with ezzi.net providing the payload server.
ad.zoombanner.com
69.164.215.205, 69.164.215.204 [Linode]
deliver.commismanderakis.com
74.207.232.205, 74.207.232.206, 74.207.232.248, 74.207.232.249, 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203 [Linode]
content.fishpotboutademalled.com
69.164.196.55 [Linode]
jduvazuc.info
216.150.79.74 [AccessIT / ezzi.net]
Incidentally, 69.164.196.55 also hosts a bunch of domains which are probably malicious:
Labels: Linode, Malvertising, Trojans, Viruses
Thursday 14 January 2010
More malvertisement domains
The malicious ads were running through (and I understand now terminated by) bootcampmedia.com, related to this post, according to commenter cerdo:
traffic.worldseescolor.com
69.164.215.208, 69.164.215.210, 69.164.215.205, 69.164.215.207, 69.164.215.204 [Linode]
deliver.bailagequinismregrow.com
74.207.232.205, 74.207.232.250, 74.207.232.249, 74.207.232.248, 74.207.232.203, 74.207.232.30, 74.207.232.206, 74.207.232.31, 74.207.232.39, 74.207.232.25, 74.207.232.202, 74.207.232.35 [Linode]
img.bailagequinismregrow.com
174.143.243.220, 98.129.238.102, 98.129.238.106, 98.129.236.239, 174.143.245.236, 98.129.237.14, 174.143.242.109, 174.143.243.90, 98.129.236.154, 98.129.238.101, 98.129.238.112, 98.129.236.254, 174.143.241.174, 98.129.238.105, 98.129.238.103, 174.143.243.162, 174.143.242.58, 98.129.238.99
[Slicehost / Rackspace]
content.cabullacoexertstephen.com
69.164.196.55 [Linode]
aanserver88.com
67.225.149.152 [Liquid Web]
bonnapet.com
Was 217.20.114.40 [Netdirekt / internetserviceteam.com] now appears to be down.
afkenai.com
195.2.253.93 [Madet Ltd, Moscow]
bfskul.com
195.2.253.93 [Madet Ltd, Moscow]
I don't have the full trace of these, so it's not exactly clear what these domains are doing in the reported chain.
Blogger cerdo said...
Worth checking your logs for and blocking in case they turn up on another network. Checking IPs comes up with:
bootcampmedia.com was also likely hosting a malicious campaign yesterday afternoon, and perhaps still ongoing. I'd contact you Jamie, but I don't have contact info for you. This all is clearly closely related to Dynamoo's post...
traffic.worldseescolor.com is an obvious bad actor. The other related domains:
deliver.bailagequinismregrow.com
img.bailagequinismregrow.com
content.cabullacoexertstephen.com
as well as:
aanserver88.com
bonnapet.com
afkenai.com
bfskul.com
14 January 2010 18:40
Blogger cerdo said...
Yep - saw traffic.worldseescolor.com via bootcamp again less than 30 minutes ago.
Related sites, accessed immediately after traffic.worldseescolor.com:
deliver.boaterdunnagechicot.com
img.boaterdunnagechicot.com
14 January 2010 18:45
Labels: Linode, Malvertising, Trojans, Viruses
Tuesday 12 January 2010
BoingBoing.net / Bootcampmedia.com ad leads to malware
A malicious ad running on BoingBoing.net is delivering visitors to a PDF exploit.
Given the complicated state of advertising arbitrage, it is unlikely that BoingBoing.net have much control over it. The ad appears to be loading in from ad.yieldmanager.com (which is Yahoo!) and/or ad.z5x.net (DSNR Media Group) both of which are hosted on the same multihomed IP addresses.
The ad itself (pictured) appears to be some sort of get-rich-quick scheme or other.
This ad then directs through ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?z=BootCamp&dim=335848 to traffic.firedogred.com/content?campaign=1219131&sz=2 (this combination of bootcampmedia.com and firedogred.com has been noted before)
The ad then hops to deliver.amerchibchapowered.com/rotate?m=5;b=2;c=1;z=243826 then content.baalcootymalachi.com/track/3388182/S_SE?[snip] loading an image from img.amerchibchapowered.com along the way.
Finally, the visitor is directed to chohivyb.info/cgi-bin/aer/[snip] which contains an exploit detected as Troj/PDFJs-GI by Sophos.
"Boot Camp Media" is run by a guy called Jamie Dalgetty of Guelph, Ontario in Canada. It's unlikely that he's a bad guy, more likely that his ad network is being exploited by a malicious third party.
traffic.firedogred.com is rather more interesting, multihomed on 69.164.215.204, 69.164.215.205, 69.164.215.207, 69.164.215.208 and 69.164.215.210 at Linode, New Jersey. The domain firedogred.com is slightly interesting:
Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09
Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --
Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --
Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM
trafficbuyer@gmail.com has been used for these malicious domains for some months and is well known.
deliver.amerchibchapowered.com is also multihomed at Linode on 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203, 74.207.232.205, 74.207.232.206, 74.207.232.248 and 74.207.232.249. The domain was registered on 7th January 2010 and is hidden by DomainsByProxy.
content.baalcootymalachi.com is hosted on 69.164.196.55 at Linode again, again registered on 7th January via DomainsByProxy.
img.amerchibchapowered.com is hosted on a large number of servers at 174.143.243.90, 174.143.243.162, 174.143.243.220, 174.143.245.236, 98.129.236.154, 98.129.236.239, 98.129.236.254, 98.129.237.14, 98.129.238.99, 98.129.238.101, 98.129.238.102, 98.129.238.103, 98.129.238.105, 98.129.238.106, 98.129.238.112, 174.143.241.174, 174.143.242.58, 174.143.242.109 - these are all hosted at Slicehost.com which is a customer of Rackspace.
Finally, chohivyb.info is hosted on 216.150.79.74 which is some outfit called ezzi.net of New York owned by another outfit called AccessIT. No prizes for guessing that chohivyb.info has been registered only very recently with anonymous details.
216.150.79.74 is a well-known malware server, and that hosts the following domains which you can assume are malicious:
Obviously block or null-route these destinations as you feel fit, and do not purchase any ads from firedogred.com!
Added: You probably want to block these too:
216.150.79.76
216.150.79.77
Labels: Bogus Ads, Linode, Malvertising, Viruses
Wednesday 14 October 2009
Suspect ad network leads to PDF exploit
This was picked up from an ad apparently running on grooveshark.com
An ad from ad.technoratimedia.com loads an ad from ad.yieldmanager.com.. so far, pretty normal.
The next step is:
ads.bootcampmedia.com/servlet/ajrotator/790744/0/vh?ajecscp=1254835789307&z=BootCamp&dim=335848
This domain is protected by DomainsByProxy, registered in December 2007 and is hosted on 208.113.133.105.
The site has the following contact details:
Address: Bootcamp Media, 121 Wyndham St. N., Suite 202, Guelph, Ontario, Canada N1H 4E9
Phone: 1-519-515-0094
Fax: 1-519-515-0151
Bootcampmedia.com has a near-zero profile, but it may well be a legitimate company.
After this, the visitor starts to go well off the beaten track. The next hop is traffic.firedogred.com/content?campaign=1219131&sz=2
firedogred.com is registered to:
Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FIREDOGRED.COM
Created on: 15-Sep-09
Expires on: 15-Sep-10
Last Updated on: 15-Sep-09
Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --
Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
(800) 555-1212 Fax --
That email address of trafficbuyer@gmail.com is well known. The subdomain traffic.firedogred.com is dual-homed on 207.57.97.233 and 161.58.56.25 (both NTT America, Inc).
The next hop is show.sheathssubtotal.info/rotate?m=3;b=2;c=0;z=406377
sheathssubtotal.info was registered on 17th September with the same "trafficbuyer@gmail.com" contact details as firedogred.com.
show.sheathssubtotal.info is dual homed on 140.174.93.100, 161.58.192.228 (both NTT America, Inc).
Yet another hop, this time to content.neighbanner882.info/track/3388081/S_SE?{munged}
neighbanner882.info was created on 7th August 2009, registered to trafficbuyer@gmail.com (again). content.neighbanner882.info is hosted on 69.164.196.55 at some outfit called Linode.
Yet another hop, this time to winckag.com which is currently down but was hosted on 89.149.251.71 (Netdirekt E.k) who are pretty well known for hosting bad sites (but they may well have nuked this one already, and if so.. well done!)
The owners of winckag.com have something to hide:
Registrant:
Contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
Domain name: WINCKAG.COM
Administrative Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
Technical Contact:
contactprivacy.com, winckag.com@contactprivacy.com
96 Mowat Ave
Toronto, ON M6K 3M1
CA
+1.4165385457
Registration Service Provider:
domainsnext.com, Sales@DomainsNext.com
+1.9494979623
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 04-Oct-2009.
Record expires on 04-Oct-2010.
Record created on 04-Oct-2009.
Registrar Domain Name Help Center:
http://domainhelp.tucows.com
Domain servers in listed order:
NS1.WINCKAG.COM 200.63.45.62
NS2.WINCKAG.COM 200.63.45.62
This loads an image from img.sheathssubtotal.info/120x600/54019.gif multihomed on 174.143.241.174, 174.143.243.90, 174.143.243.162 (some sort of cloud hosting) and then loads the following:
winckag.com/base/data/p29.php
winckag.com/base/data/vou.png
Those nameservers on 200.63.45.62 are interesting: that's PanamaServer.com, who are well known for supporting malware.
Finally, winckag.com appears to try to load a Troj/PDFJs-DY trojan onto the victim's machine.
You should certainly avoid ads running on firedogred.com, sheathssubtotal.info, neighbanner882.info, winckag.com or any domain registered to trafficbuyer@gmail.com. Make up your own mind about Boot Camp Media - these small ad networks are very often targeted by the bad guys, but they really need to get their act together.
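The posts above repeatedly recommend blocking the server IP rather than each domain, and the same address 69.164.196.55 turns up as the "content." host in four of them. This added example (not the blog's code) pivots on the host/IP pairs reported across these posts to find that shared infrastructure and turn it into an IP-level block list; RECORDS is constructed from values quoted above (one address per multihomed host), with the post dates standing in for first-seen dates.

```python
"""Pivot on shared hosting across the campaigns reported above (added example)."""
from collections import defaultdict

# (post date, hostname, IP, hosting provider), constructed from the posts above.
# Multihomed hosts are reduced to one of their reported addresses.
RECORDS = [
    ("2009-10-14", "content.neighbanner882.info", "69.164.196.55", "Linode"),
    ("2009-10-14", "traffic.firedogred.com", "207.57.97.233", "NTT America"),
    ("2010-01-12", "traffic.firedogred.com", "69.164.215.204", "Linode"),
    ("2010-01-12", "content.baalcootymalachi.com", "69.164.196.55", "Linode"),
    ("2010-01-12", "chohivyb.info", "216.150.79.74", "ezzi.net"),
    ("2010-01-14", "traffic.worldseescolor.com", "69.164.215.204", "Linode"),
    ("2010-01-14", "content.cabullacoexertstephen.com", "69.164.196.55", "Linode"),
    ("2010-01-15", "ad.zoombanner.com", "69.164.215.204", "Linode"),
    ("2010-01-15", "content.fishpotboutademalled.com", "69.164.196.55", "Linode"),
    ("2010-01-15", "jduvazuc.info", "216.150.79.74", "ezzi.net"),
    ("2011-12-13", "downloaddatafast.serveftp.com", "173.230.137.34", "Linode"),
    ("2011-12-13", "sadjumped.com", "173.230.137.34", "Linode"),
    ("2012-01-26", "chillechart.com", "96.126.96.123", "Linode"),
    ("2012-01-26", "chillepay.com", "69.164.199.231", "Linode"),
]


def by_ip(records):
    """Group hostnames and post dates by the IP they resolved to."""
    table = defaultdict(lambda: {"hosts": set(), "posts": set(), "hoster": None})
    for date, host, ip, hoster in records:
        entry = table[ip]
        entry["hosts"].add(host)
        entry["posts"].add(date)
        entry["hoster"] = hoster
    return table


def shared_infrastructure(records, min_posts=2):
    """IPs that recur across at least `min_posts` separate posts: the servers
    worth blocking outright rather than chasing domain by domain."""
    return sorted(ip for ip, e in by_ip(records).items() if len(e["posts"]) >= min_posts)


def also_covered(records, hostname):
    """Other hostnames an IP-level block of `hostname`'s server(s) would catch."""
    ips = {ip for _, h, ip, _ in records if h == hostname}
    table = by_ip(records)
    return sorted({h for ip in ips for h in table[ip]["hosts"]} - {hostname})


def ip_blocklist(records):
    """One line per IP, numerically ordered, annotated with what was seen on it."""
    def numeric(item):
        return tuple(int(octet) for octet in item[0].split("."))
    lines = []
    for ip, e in sorted(by_ip(records).items(), key=numeric):
        lines.append(f"{ip}  # {e['hoster']}: {', '.join(sorted(e['hosts']))}")
    return lines


if __name__ == "__main__":
    table = by_ip(RECORDS)
    for ip in shared_infrastructure(RECORDS):
        print(ip, sorted(table[ip]["posts"]), sorted(table[ip]["hosts"]))
    print("\n".join(ip_blocklist(RECORDS)))
```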
Labels: Linode, Malvertising, Malware, PDFs